########################################################################### # Exploit Title : WordPress lbg_zoominoutslider Plugins 5.0.3 File Information Exposure # Author [ Discovered By ] : KingSkrupellos # Team : Cyberizm Digital Security Army # Date : 14/01/2019 # Vendor Homepage : lambertgroupproductions.com # Software Download Link : codecanyon.net/item/responsive-zoom-inout-slider-wordpress-plugin/2950062 codecanyon.net/item/jquery-slider-zoom-inout-effect-fully-responsive/2457203 # Software Information Link : themesinfo.com/wordpress-plugins/wordpress-lbg_zoominoutslider-plugin-dkf7 # Software Price : 22$ # Tested On : Windows and Linux # Category : WebApps # Affected Versions : 3.8.28 - 3.9.26 - 4.7.12 - 4.3.18 - 4.5.16 - 4.6.13 - 4.8.8 4.9.4 - 4.9.9 - 4.9.x - 5.0.3 # Exploit Risk : High # Google Dorks : inurl:"/wp-content/plugins/lbg_zoominoutslider/" # Vulnerability Type : CWE-200 [ Information Exposure ] CWE-538 [ File and Directory Information Exposure ] CWE-22 [ Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ] ########################################################################### # Impact : ******** * WordPress lbg_zoominoutslider plugins 5.0.3 and other versions is prone to an arbitrary file disclosure vulnerability because it fails to properly sanitize user-supplied input. * An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in launching further attacks. * An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. * The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere. * The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. ########################################################################### # Exploit : *********************** /wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php /wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php?page=lbg_zoominoutslider_Manage_Sliders /wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php /wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php?page=lbg_zoominoutslider_Playlist /wp-content/plugins/lbg_zoominoutslider/tpl/banners.php /wp-content/plugins/lbg_zoominoutslider/tpl/help.php /wp-content/plugins/lbg_zoominoutslider/tpl/overview.php /wp-content/plugins/lbg_zoominoutslider/tpl/overview.php?page=lbg_zoominoutslider_Manage_Sliders /wp-content/plugins/lbg_zoominoutslider/tpl/overview.php?page=lbg_zoominoutslider_Add_New /wp-content/plugins/lbg_zoominoutslider/tpl/overview.php?page=lbg_zoominoutslider_Help /wp-content/plugins/lbg_zoominoutslider/tpl/playlist.php /wp-content/plugins/lbg_zoominoutslider/tpl/playlist_elements_over_image.php /wp-content/plugins/lbg_zoominoutslider/tpl/preview.html /wp-content/plugins/lbg_zoominoutslider/tpl/settings_form.php ########################################################################### # Video Tutorials => Installation – youtube.com/watch?v=OiuT8zxKmpI How To Create A Slider – youtube.com/watch?v=xYrOMaUalso How To Add The Layers – youtube.com/watch?v=nIxHarBvEP4 How To Use It As FullScreen Background For A Single Page/Post- youtube.com/watch?v=7SKWd2fspg8 How To Use It As FullScreen Background For Entire Website- youtube.com/watch?v=PoqrBup7QrM ########################################################################### # Example Vulnerable Site : ************************* [+] dorianorchestra.ro/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] stereoptik.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] villamahal.com/wp/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] domainedelajeanne.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] fondationsaintirenee.org/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] filenscene.org/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] heartandhandswine.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] swordstravel.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] gobeklitepe.info/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] villa-sanctamaria-motovun.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] falafelhouseflorida.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] callisons.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] alexandercapitallp.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] hdlogistica.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] scottgbrown.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] apartamentspa.eu/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] faithofthenations.org/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] timnicholsonracecars.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] lartisan-numerique.com/_PROJ_/EPSETOISE/wp-content/plugins/lbg_zoominoutslider/tpl/add_playlist_record.php [+] theflowerpot-macclesfield.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] masdespetitsloups.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] anholter-schweiz.de/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] corevc.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] 247snacks.ca/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] delicream.co.il/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] new.zoompanningeffectslider.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] spinesportspt.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] cspro82.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] flatwaterkayaker.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] dalaman.bel.tr/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] denver.haleexpo.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] saar2.shakedeal.co.il/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] salonsbocaraton.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] baronsestateagents.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] omar-khayyam.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] samplemcdougald.org/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] luxusurlaub-weltweit.de/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] light-pro.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] sebreflex-photographies.fr/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] paysagiste-bouvard-chaillevette.fr/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] henkaconsulting.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] jmconcreting.com.au/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] worthing10k.co.uk/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] pacificappraisers.com/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] 0800strippers.co.nz/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php [+] naturo.us/wp-content/plugins/lbg_zoominoutslider/tpl/add_banner.php ########################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ###########################################################################